Debian
sudo package

Wrong path to LDAP configuration file supplied in config option

Bug #140461 reported by Etienne Goyer
18
This bug affects 1 person
Affects Status Importance Assigned to Milestone
sudo (Debian)
Fix Released
Unknown
sudo (Ubuntu)
Fix Released
Medium
Unassigned

Bug Description

Binary package hint: sudo-ldap

As per debian/rules in the sudo source package, the configure script get passed:

               --with-ldap-conf-file=/etc/ldap/ldap.conf \

This is clearly wrong, as README.LDAP state:

    Configure your /etc/ldap.conf
    =============================
    The /etc/ldap.conf file is meant to be shared between sudo,
    pam_ldap, nss_ldap and other ldap applications and modules.

In Ubuntu, the configuration file of nss_ldap and pam_ldap /etc/ldap.conf. /etc/ldap/ldap.conf is used by OpenLDAP client utilities, such as ldapsearch, lpdapadd, etc, and use a different format that the pam_ldap/nss_ldap config files. Thus, it make no sense to use /etc/ldap/ldap.conf for the LDAP configuration of sudo.

I think relying on the configuration file of another software package is really a problem with upstream, but we could fix it in Ubuntu by having the configure line discussed above changed to :

               --with-ldap-conf-file=/etc/ldap.conf \

Bug Watch Updater (bug-watch-updater)
Changed in sudo:
status: Unknown → New
Revision history for this message
lcars (andrea-inversepath) wrote :

Confirmed, but it would be better to have /etc/sudo-ldap.conf rather than sharing it with the default /etc/ldap.conf (which might be used by other packages). This also because any serious sudo-ldap configuration would require a binding password/dn for accessing the records. Additionally /etc/sudo-ldap.conf must be root-readable only, otherwise it would be like leaking /etc/sudoers to all users, which is not desirable.

Revision history for this message
Buddy (hoffmann-ellumination) wrote :

guys it has been almost a year. Fix it. Either way is fine. Just fix it.

Revision history for this message
William Grant (wgrant) wrote :

This is nice and confusing!

Changed in sudo:
importance: Undecided → Medium
status: New → Triaged
Revision history for this message
Olli Helenius (liff) wrote :

As far as I can tell, /etc/ldap.conf (pam/nss) and /etc/ldap/ldap.conf don't even have the same configuration parameters. Bug #115967 is sort of related (TLS_CACERT/TLS_CACERTFILE).

See man pam_ldap (package libpam-ldap) vs. man ldap.conf (package libldap-<VERSION>).

Revision history for this message
Timur Bakeyev (timur-freebsd) wrote :

Well, now it's *TWO* years since this bug was reported and it is still new :>

Yesterday just again hit it, spending half-day trying to figure why /etc/ldap.conf doesn't give any effect, despite it is described in the docs.

After all old good strace did help to figure out the truth, but... But... It's just insane that you have to do this sort of things to make package to work.

On an unrelated note, sudo 1.7.0 was released over two months ago, providing better LDAP support, bit still - no traces of it even in unstable...

Revision history for this message
Matt Kassawara (ionosphere80) wrote :

This issue (and lack of a 1.7.0 package) appears fixed in 1.7.0-1ubuntu1 available from the Karmic development repository.

From debian/changelog...

  * fix ldap config file path for sudo-ldap package, including creating
    a symlink in postinst and cleaning it up in postrm for the sudo-ldap
    package, closes: #430826

From debian/rules...

--with-ldap-conf-file=/etc/sudo-ldap.conf

I've verified this package works as expected on Karmic and also installs cleanly on Jaunty. This bug should probably get marked as a duplicate of Debian bug #430826 and closed.

Revision history for this message
Martin Pitt (pitti) wrote : Re: [Bug 140461] Re: Wrong path to LDAP configuration file supplied in config option

 status fixreleased

Martin Pitt (pitti)
Changed in sudo (Ubuntu):
status: Triaged → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in sudo (Debian):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.